Conventional operating systems, such as Microsoft Windows or GNU/Linux, have not been designed under strong security constraints. The result is a weakly secured design, in the form of an operating system made of operating layers which can be represented in accordance with different models, such as the OSI (open systems interconnection) model.
Within the scope of a gateway server 17 (FIG. 1), also known as a ‘proxy’, this representation can be reduced to three levels:

a first, control level 16 comprising a kernel which manages the operations carried out by the applications of the operating system, in particular by allocating resources to these applications and by controlling the communication between these resources. The kernel is typically a monolithic kernel, although a modular approach can be chosen to manage, in particular, each resource offered by the operating system. A monolithic kernel of this type includes low-level software, such as the scheduler, the process manager, the memory manager and the device drivers, as well as some high-level services such as file systems, cryptographic algorithm systems or filtering systems;

a second, communication level 14 comprising the software applications, in particular those forming the protocol stacks required to send or receive data via a telecommunications network using a communications protocol. In a protocol stack each layer solves a specific set of problems regarding data transmission and provides well-defined services to the layers above it, up to the first level 16. These upper layers are closer to the user and handle more abstract data by using the services of the lower layers, which format these data so they can be sent over a physical medium;

a third, media level 12 forming the interface between the server 17 and an external network 10 or 11. This level 12 typically conforms to the Ethernet protocol, implementing a physical layer and a software sub-layer, i.e. the media access control (MAC) layer of the OSI model.

A gateway server 17 of this type can have a filtering function intended to control the transmission of data 13 received, for example, from an unsecured network 10 such as the Internet to a sensitive network 11. In this case, these data 13 are processed:

by the Ethernet level 12 of the gateway server 17, so as to make said data processable within the server, then

by the communication level 14 comprising a TCP/IP (transmission control protocol and Internet protocol) protocol stack, so as to generate data transmitted in accordance with transport protocols conforming to application protocols, then lastly

by the control level 16 implementing high-level filtering services which make it possible, for example, to decrypt the data before they are sent to the sensitive network 11.
The present invention is based on the observation that such a server, and the method required for its implementation, have drawbacks. In particular, they suffer from the complexity of a monolithic kernel and from a computer system architecture which does not allow formal verification that a gateway server is free of a given vulnerability.

More specifically, no mechanism makes it possible to prove that the data coming from the network 10 subsequently pass through all the filtering steps performed by the levels 12, 14 and 16. A deliberate or accidental dysfunction 15 may thus occur in one of the levels 12 or 14 and may lead to the control level 16 being bypassed.

By way of example, such a dysfunction 15 may arise at the communication level 14, for instance within the layer specific to the TCP/IP stack. In this case, the dysfunction 15 transmits data coming from the network 10 to the network 11 without said data first having been passed to the control level 16.

It is thus possible to reach the network 11 independently of the transmission rules which must be applied by the control level 16, which constitutes an unacceptable flaw of the server 17.
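The data path through the three levels and the bypass of dysfunction 15 described above, as an added illustration that is not part of the original text or of the invention: the level numbers 12, 14 and 16, the network names, the content rule applied by the control level and the `stack_fault` flag are assumptions of this model. The `traversed_control_level` check is only an assertion inside the model; in the monolithic design criticised above nothing in the kernel enforces it, and a faulty or subverted stack would not be obliged to record its path.

```python
"""Toy model of the gateway server 17 of FIG. 1 and of a dysfunction 15.

Added illustration, not the page's own code. Level numbers, network names
and the filtering rule are constructed for this model.
"""
from dataclasses import dataclass, field

NET_10 = "network10"   # unsecured network (e.g. the Internet)
NET_11 = "network11"   # sensitive network
CONTROL_LEVEL = 16     # the only level allowed to apply the transmission rules


@dataclass
class Datagram:
    payload: bytes
    src: str
    dst: str
    path: list = field(default_factory=list)  # levels that processed it, in order


class Gateway:
    """Three-level gateway; `stack_fault` models dysfunction 15 in level 14."""

    def __init__(self, stack_fault=False):
        self.stack_fault = stack_fault
        self.delivered = []   # datagrams that actually reached network 11

    # level 12: Ethernet/MAC, makes the data processable by the server
    def media_level(self, dg):
        dg.path.append(12)
        return self.communication_level(dg)

    # level 14: TCP/IP stack; it should always hand data up to level 16
    def communication_level(self, dg):
        dg.path.append(14)
        if self.stack_fault and dg.src == NET_10:
            # dysfunction 15: forward to network 11 without the control level
            return self._transmit(dg)
        return self.control_level(dg)

    # level 16: filtering services (here a constructed content rule)
    def control_level(self, dg):
        dg.path.append(CONTROL_LEVEL)
        if b"forbidden" in dg.payload.lower():
            return None          # rule: this must not reach network 11
        return self._transmit(dg)

    def _transmit(self, dg):
        if dg.dst == NET_11:
            self.delivered.append(dg)
        return dg


def traversed_control_level(dg):
    """Model-level check: did the datagram pass level 16 before delivery?

    Nothing in the monolithic design enforces this; a faulty stack that
    bypasses level 16 is not obliged to leave this evidence behind.
    """
    return CONTROL_LEVEL in dg.path


def run(stack_fault):
    """Send one forbidden datagram from network 10 towards network 11.

    Returns the (payload, path) pairs that reached network 11.
    """
    gw = Gateway(stack_fault=stack_fault)
    gw.media_level(Datagram(b"GET /forbidden", NET_10, NET_11))
    return [(dg.payload, dg.path) for dg in gw.delivered]


if __name__ == "__main__":
    print("healthy stack:", run(False))   # [] : filtered out at level 16
    print("faulty stack :", run(True))    # delivered with path [12, 14]
```

With a healthy stack the datagram is refused at level 16 and nothing reaches network 11; with the fault in level 14 the same datagram is delivered with a path of [12, 14], i.e. without the control level ever having seen it, which is exactly the flaw the text describes.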